SANS ISC: Life after GDPR: Implications for Cybersecurity - SANS Internet Storm Center SANS ISC InfoSec Forums

Life after GDPR: Implications for Cybersecurity

It’s not much discussed in the United States, but the EU’s landmark General Data Protection Regulation (GDPR) will soon become the law that governs how the personal data of European citizens must be protected, stored, and processed. This, of course, has a great effect on organizations doing business in Europe, but it has had, and will have, a myriad of side effects that we’ll be dealing with for years to come. This is especially true for cybersecurity professionals and those who investigate crime on the internet.

For almost two years, an ICANN working group has debated the future of Whois, the protocol that lets anyone look up the registrant information for any domain on the internet (unless it is otherwise protected). Whois has come under fire from time to time from privacy activists and data protection authorities, and that conflict has now reached a boiling point over GDPR. On the one hand, for a subset of registrations the registrant’s personal information, including phone numbers, email addresses, and mailing addresses, is published unless the registrant pays for privacy protection. On the other hand, security investigators, researchers, and data scientists use this data in a variety of ways to find malicious domains and protect their constituents.

The debate has at times been heated, with a registrar infamously calling anti-spam groups “blackhats”, but after spending months in this group it’s pretty clear that free and meaningful access to full whois data is going away. So the question becomes: now what? And what does this mean for other forms of data useful for threat research?

Whois, and certainly the commercial services built on top of that data, is useful for correlating malicious activity. During the French presidential campaign (and the upcoming midterm elections in the United States), it is possible to find other domains with the same registrant details and so identify multiple resources used by the adversary. It also makes it possible to check whether domains are owned by who they purport to be, and it provides essential contact information for resolving problems.
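The registrant pivot described above, as an added example that is not part of the diary: the WHOIS responses are constructed RFC 3912-style key/value text with invented domains and contacts, and the redaction placeholders are excluded so that GDPR-redacted records do not cluster together.

```python
"""Pivot on registrant details across WHOIS records (added example, not
from the diary). The records below are constructed RFC 3912-style key/value
responses; the domains and contacts are invented."""
import re
from collections import defaultdict

# Constructed sample responses (not real registrations).
SAMPLE_RECORDS = [
    "Domain Name: EXAMPLE-LOGIN.TEST\n"
    "Registrant Name: J. Doe\n"
    "Registrant Email: JDOE@EXAMPLE.INVALID\n"
    "Name Server: NS1.HOST.INVALID\n",
    "Domain Name: example-secure.test\n"
    "Registrant Name: Jane Doe\n"
    "Registrant Email: jdoe@example.invalid\n"
    "Name Server: ns2.host.invalid\n",
    "Domain Name: unrelated.test\n"
    "Registrant Name: REDACTED FOR PRIVACY\n"
    "Registrant Email: REDACTED FOR PRIVACY\n"
    "Name Server: ns1.host.invalid\n",
]

# Placeholders registrars substitute when a record is redacted; a pivot on
# these would wrongly cluster every redacted domain together.
REDACTED = {"", "redacted for privacy", "data protected", "not disclosed"}

def parse_whois(text):
    """Map lower-cased field names to lower-cased, whitespace-trimmed values."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][\w /-]*?):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).lower()
    return fields

def pivot(records, key="registrant email"):
    """Group domains that share the same value of `key`, skipping redacted or
    missing values. Returns {value: sorted domains} for values seen on 2+ domains."""
    groups = defaultdict(set)
    for rec in map(parse_whois, records):
        value = rec.get(key, "")
        if value in REDACTED:
            continue
        groups[value].add(rec.get("domain name", "?"))
    return {v: sorted(d) for v, d in groups.items() if len(d) > 1}

if __name__ == "__main__":
    # Both invented domains share an e-mail; the redacted record is ignored.
    print(pivot(SAMPLE_RECORDS))
```

Pivoting on a different key (for example `"name server"`) shows how much weaker the remaining, non-personal fields are once the registrant contact is redacted.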

One problem I have from time to time is how to contact victims when I see that their resources are compromised, as they often don’t list contact details on their website. Whois data can, of course, be wrong… but even then it is useful.

Luckily, for the broader class of threat data, others seem to be taking a more nuanced approach. This guide from the MISP Project discusses the implications in detail and points out that recital 49 of GDPR encourages these kinds of sharing arrangements to continue.

If Whois does go away, how will it impact your organization and what plans do you have to accommodate those needs if it does?

--
John Bambenek
bambenek \at\ gmail /dot/ com
Fidelis Cybersecurity

John

248 Posts
ISC Handler
This is an interesting GDPR side effect I hadn't considered. I'm not a lawyer, but it seems to me there is a vested public interest in sharing this info and that interest should allow registrars to share WHOIS data with CSIRTs, researchers, and others with a legitimate need for it. That said, this would require each registrar to do the right thing, no? Can we really depend on them looking out for this public interest despite fears of running afoul of regulation? Doubt it.
Anonymous
Posts
Have you heard of this initiative? https://securitytxt.org/

This would at least address the "need to contact somebody urgently" issue.
Anonymous
Posts
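A checker for the security.txt file (RFC 9116) mentioned in the comment above, as an added example that is not part of the thread or of securitytxt.org: the file contents and contact addresses are constructed, and the check covers the two fields a responder trying to reach a victim depends on, Contact and an unexpired Expires.

```python
"""Check a security.txt (RFC 9116) for the fields an incident responder needs
(added example, not from the thread or securitytxt.org). The file contents
and addresses below are constructed."""
from datetime import datetime, timezone

# Constructed sample; Contact and Expires are the two fields RFC 9116 requires.
SAMPLE_SECURITY_TXT = """# Constructed example file
Contact: mailto:security@example.invalid
Contact: https://example.invalid/report
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en, de
"""

def parse_security_txt(text):
    """Return {field: [values]}; field names are case-insensitive, comments start with #."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def _parse_ts(s):
    """Parse an RFC 3339 timestamp such as 2030-01-01T00:00:00Z (ValueError if malformed)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means a responder can use the file.
    `now` may be a datetime, an RFC 3339 string, or None for the current time."""
    now = _parse_ts(now) if isinstance(now, str) else now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field")
    for c in contacts:
        # RFC 9116 wants URIs: mailto:/tel: for addresses and phones, https for web pages.
        if not c.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact is not a mailto:, tel: or https URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            if _parse_ts(expires[0]) <= now:
                problems.append(f"file expired on {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not a valid timestamp: {expires[0]}")
    return problems
```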
Much ado about nothing... Now everyone gets to sit behind a whois guard, why is ICANN even trippin? Tell registrars that your users are now an ID#, and you (registrar) manage/facilitate the ID#. Physical address was always meaningless, and back n da day we used "postmaster", "hostmaster", "abuse" etc... @domain.com as our contacts anyway. We never put our real names... Phone and Fax too, worthless, the email address is all that you need on a whois. If I have to start emailing 1qaz2wsx3edc4rfv@registrar.com to report abuse or inform them their domain has been own'd, fine.
-pfft
Anonymous
Posts
I didn't want to put it in the post, but some of the loudest voices at ICANN all but called anti-spam/anti-abuse organizations "black hat groups", so I'm pretty confident where registries/registrars are going to land on this.
John

248 Posts
ISC Handler
I use WHOIS all the time to determine how to block "attacks" on my e-mail server. Almost 100% of my connections that matter are from the US. For a connection that is not from the US (as determined by WHOIS, e.g., APNIC, RIPE, LACNIC, AFRINIC, non-US ARIN), if it's an "attack," I usually block a range containing the IP address. If I can no longer get the WHOIS information, I will be harmed in the sense I will have to start blocking single IP addresses. This will cost me and others more time, as it will teach the "bad actors" that some connections can get through. Someone's always changing something...
robv

9 Posts